1.3 Elements of Risk
It is very important for a CRISC aspirant to understand the following terminology associated with risk identification:
- To manage a threat, it is very important to have knowledge of it, including the motivations, strategy and techniques of those who perpetrate it. The better the risk practitioner understands the mind of the attacker or the source of the threat, the more effective the risk management activities will be in controlling it.
- At the same time, an enterprise needs to know its own strengths, weaknesses, vulnerabilities and gaps.
The following table lists IS assets and their related risks:
The risk practitioner should determine the criticality of each asset so that priority can be given to protecting the critical assets first, with other assets addressed as required.
This ensures that the cost of controls does not exceed the value of the assets.
The following are some factors to consider when calculating asset value:
- Reputational loss and other penalties for legal noncompliance
- Impact on associated third parties and business partners
- Impact on business continuity
- Breach of contracts
- Loss of competitive advantage
Generally, asset value is calculated on the basis of the impact on confidentiality, integrity and availability (CIA). However, it is important to standardize the terms and values used by all departments.
A key responsibility of the risk practitioner is to ensure that the various types of threats applicable to the organization are identified and documented.
An organization is more vulnerable to a threat that has not been identified than to one that is well documented.
Sources of threat identification include past incidents, audit reports, media reports, information from national computer emergency response teams (CERTs), data from security vendors and communication with internal groups.
Risk scenarios are used at the time of threat and vulnerability assessment to identify various events and their likelihood and impact.
The risk practitioner should ensure the following controls for internal threats:
- System access should be provided on the basis of need-to-know and least privilege.
- A stringent background verification process (where permitted by law) should be in place before hiring any employee. It is important to review the qualifications and attitude of prospective employees.
- Employees should be required to sign a nondisclosure agreement.
- Regular awareness sessions and management reviews should remind employees of organizational policies and their responsibilities.
- The exit policy should be properly defined and implemented. At the end of employment, an employee should return all organizational assets (e.g., laptops, mobile phones, access cards) so that they cannot be misused. All logical and physical access should be disabled immediately.
The risk practitioner should ensure the following controls for external threats:
- Use government data and weather monitoring services to identify natural events such as floods and earthquakes, and take the necessary steps to be prepared for them.
- Carry out risk assessments and audits of the IT infrastructure and bridge the gaps by establishing the necessary controls.
- Use a skilled workforce and effective tools and techniques to guard assets against the highly skilled hacking community.
Most breaches happen because the targets are not well prepared. Many organizations are breached because they were identified as soft targets and attackers took advantage of their vulnerabilities.
Emerging threats are indicated by:
- unusual patterns or activity on a system,
- unusual system or network performance,
- increased activity in logs.
Even though logs are captured, they are not monitored or acted on in a timely manner, and hence a compromise cannot be prevented.
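The "increased activity in logs" indicator above only helps if someone actually looks at the logs. The following is an added example (not part of the original notes) of the simplest kind of timely monitoring: parsing constructed sshd-style auth log lines, bucketing failed logins per source and hour, and flagging any source whose count crosses a threshold. The log format, the sample lines and the threshold of 5 are all assumptions made for the illustration.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample auth-log lines (not real data): two ordinary users with
# the occasional typo, and one source that fails many logins in one hour.
SAMPLE_LOG = """\
2024-03-01T09:00:12 sshd[811]: Failed password for alice from 10.0.0.5
2024-03-01T09:05:40 sshd[812]: Accepted password for alice from 10.0.0.5
2024-03-01T09:10:02 sshd[820]: Failed password for bob from 10.0.0.7
2024-03-01T10:00:01 sshd[901]: Failed password for root from 203.0.113.9
2024-03-01T10:00:02 sshd[902]: Failed password for admin from 203.0.113.9
2024-03-01T10:00:03 sshd[903]: Failed password for root from 203.0.113.9
2024-03-01T10:00:04 sshd[904]: Failed password for test from 203.0.113.9
2024-03-01T10:00:05 sshd[905]: Failed password for root from 203.0.113.9
2024-03-01T10:00:06 sshd[906]: Failed password for oracle from 203.0.113.9
"""

# Assumed line format; adjust the pattern to the log source actually in use.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) password "
    r"for (?P<user>\S+) from (?P<src>\S+)$"
)

def parse_auth_log(text):
    """Yield (timestamp, result, user, src) for each line in the assumed format."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.fromisoformat(m["ts"]), m["result"], m["user"], m["src"]

def failed_logins_per_hour(events):
    """Count failed logins per (source address, hour bucket)."""
    counts = Counter()
    for ts, result, _user, src in events:
        if result == "Failed":
            counts[(src, ts.replace(minute=0, second=0, microsecond=0))] += 1
    return counts

def flag_spikes(counts, threshold):
    """Return {src: peak hourly failures} for sources at or above the threshold.
    The fixed threshold stands in for a baseline derived from your own history."""
    flagged = {}
    for (src, _hour), n in counts.items():
        if n >= threshold and n > flagged.get(src, 0):
            flagged[src] = n
    return flagged

def detect(text, threshold=5):
    """Run the whole pipeline over raw log text."""
    return flag_spikes(failed_logins_per_hour(parse_auth_log(text)), threshold)
```

Run on the sample, `detect(SAMPLE_LOG)` flags only 203.0.113.9, while the two genuine users with a single failure each stay below the threshold.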
New technology adopted without proper security consideration becomes a source of new vulnerabilities.
It is very important for the risk practitioner to monitor the use of new technologies, particularly when they promise cost savings or competitive advantage.
Vulnerabilities are weaknesses in security. The existence of a vulnerability is a potential risk.
It represents a lack of adequate controls.
An organization should conduct regular vulnerability assessments and bridge the gaps before they are found by an adversary and exploited.
Difference between Vulnerability & Threat
One of ISACA's favorite and most preferred games is to confuse us between the terms 'vulnerability' and 'threat' in the CRISC exam. Let us understand the basic difference between the two so they cannot trick us anymore.
Network vulnerabilities are often related to poor installation and misconfiguration of equipment.
Misconfiguration and failure to update operating system (OS) code correctly and on a timely basis pose a very high risk.
Network equipment should be hardened by disabling any unneeded services, ports or protocols. Any open service can be exploited by an attacker.
Risk practitioners should have sufficient information about emerging technologies and related vulnerabilities.
Physical controls are a very important aspect of security, as threat agents who are able to gain physical access to systems have the potential to bypass nearly every other type of control.
Physical security controls include locks, CCTV monitoring, biometric access control, security guards, fire suppression systems, heating, ventilation and air conditioning controls, lighting, and motion sensors.
Applications and Web-facing Services
One of the most common entry points for attackers is web-based applications.
Applications are vulnerable to attacks such as buffer overflows, logic flaws, injection attacks, bugs and many other common vulnerabilities.
Applications located in insecure locations such as demilitarized zones are more vulnerable to attack.
It is recommended for risk practitioners to use tools from the Open Web Application Security Project (OWASP) to test web-facing applications.
The risk practitioner should ensure that an adequate backup facility is available in case of power failure or other adverse environmental conditions.
Equipment such as uninterruptible power supplies (UPS), backup generators and surge protectors can help to prevent system damage or failure.
The functioning of this equipment must be tested at regular intervals.
It is important to identify and document all risks related to the supply chain.
Any interruption in the supply chain may affect the ability of the organization to function.
Operational processes must be defined and implemented in a consistent manner across the organization.
Unstructured processes result in inconsistent management, lack of governance and reporting, and failure to ensure compliance with regulations.
Equipment should be monitored for its MTBF (mean time between failures), which indicates its anticipated life span and when it should be scheduled for removal or replacement.
Four cloud deployment models are listed below:
Risk practitioners should be aware that outsourcing IT services does not remove the accountability of the organization.
The risks of cloud computing should be considered before making outsourcing decisions.
Laws and regulations of the country of origin may not be enforceable in the foreign country. At the same time, the laws and regulations of the foreign outsourcer's country may also impact the enterprise.
Organizations can enforce strong security controls at the supplier only if these are included in the SLA. Without addressing security requirements directly in the outsourcing contract, the outsourcing company has no assurance that the provider will comply with specific security requirements.
The right to audit is an important clause. However, service providers may not allow you to audit them directly; instead, they may provide proof of compliance from an audit conducted by an independent auditor.
Risks associated with big data:
- As all data is stored in one place for analysis, any unauthorized access can have an adverse impact.
- Analysis of data without the consent of the data subject can breach privacy laws.
- Also, when data is aggregated for analysis, information that is not individually identifiable might become identifiable.
Vulnerability Assessment and Penetration Testing
A lack of adequate controls indicates a vulnerability. A vulnerability can be exploited by a threat, resulting in a risk to confidentiality, integrity and availability.
Vulnerability assessment is a process to identify weaknesses in systems or processes.
It can be carried out either by a manual process or with automated tools.
Automated tools have the ability to analyze large amounts of data, run multiple tests and identify weaknesses.
A manual test gives better results when the content is not easily quantifiable and requires judgment.
To validate the results of a vulnerability assessment, the organization may conduct a penetration test.
An expert penetration testing team uses the same tools and techniques as a real attacker.
It is advisable to conduct a penetration test after any major infrastructure changes are made.
The findings of VA and PT should be used by risk practitioners to bridge the gaps.
At the same time, the absence of any findings should not be taken as evidence of a foolproof system. The system may still be vulnerable to unknown vulnerabilities (zero-day exploits).
Configuration management has the greatest likelihood of introducing vulnerabilities, through misconfigurations and missing updates.
To determine threats and vulnerabilities, risk scenarios are used for all elements of a business process, and an attempt is made to identify the likelihood of occurrence and the business impact if the threats were realized.
Configuration management is the process of managing and updating system features, parameters and other functional settings. Misconfiguration and missing updates are the reasons why configuration management is considered the process most susceptible to the introduction of an information-security-related vulnerability.
Misconfiguration and failure to update operating system (OS) code correctly and on a timely basis pose a very high risk. Attackers will first try to exploit vulnerabilities caused by poor configuration.
Risk practitioners should ensure that the organization has a robust configuration management process in place.
Input Validation Check
The absence of input validation checks is one of the most serious vulnerabilities and allows attackers access to data through a web application.
In the absence of validation checks on data input fields, attackers can exploit other weaknesses in the system. For example, through SQL injection attacks, hackers can illegally retrieve application data.
The risk practitioner should ensure that all web applications have appropriate input validation controls to restrict the entry of any unusual code into the system.
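The SQL injection case mentioned above, as an added example that is not part of the original notes: a lookup that concatenates the input into the query text beside the same lookup with an allowlist validation check and a parameterized query. The table, the sample rows and the username allowlist pattern are constructed for the illustration.

```python
import re
import sqlite3

def make_db():
    """Constructed in-memory table with sample rows (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "alice@example.com", "user"), ("bob", "bob@example.com", "admin")],
    )
    return conn

def lookup_vulnerable(conn, username):
    """The flaw the notes describe: no validation, and the input is concatenated
    into the SQL text, so a crafted value changes the query rather than being
    compared as data."""
    sql = "SELECT username, email FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()

# Assumed allowlist for the username field: short, lowercase, alphanumeric/underscore.
USERNAME_RE = re.compile(r"^[a-z0-9_]{1,32}$")

def is_valid_username(value):
    """Input validation control: accept only what the field is supposed to hold."""
    return bool(USERNAME_RE.match(value))

def lookup_hardened(conn, username):
    """Two layers: reject input that fails the field's allowlist, then bind the
    value as a parameter so the database driver never interprets it as SQL."""
    if not is_valid_username(username):
        raise ValueError("username rejected by input validation")
    sql = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()
```

Against the sample table, both functions return alice's row for the input `alice`; the classic tautology input `' OR '1'='1` makes the vulnerable version return every row, while the hardened version rejects it before any query runs.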
Off-shore Data Processing
The most important factor to consider when evaluating a proposal for off-shore data processing is the prevailing laws and regulations. Risk practitioners should be aware of privacy laws and their requirements. Privacy law may prohibit the transfer of sensitive customer data to an off-shore location.
The risk practitioner should consider the following important aspects with respect to outsourcing contracts:
- Outsourcing contracts should include information security requirements for the service provider. If security requirements are not covered in the outsourcing contract, it will be difficult to get them implemented by the service provider.
- Service providers should not be allowed to subcontract critical processes. Subcontracting increases the risk of data leakage.
- Outsourcing contracts should include a provision to assess the compliance of the service provider. Compliance can be verified through internal audit or by obtaining a certificate from an independent auditor.
Compliance-oriented business impact analysis
The purpose of a compliance-oriented business impact analysis is to identify all compliance-related requirements applicable to the organization. These requirements are mapped to business processes and objectives.
It is the most effective method to evaluate the potential impact of legal, regulatory and contractual requirements on business objectives.
Key aspects from the CRISC exam perspective